libvirt/daemon
John Ferlan fe8f1c8b86 remote: Fix possible use-after-free when sending event message
Based upon an idea and some research by Wang King <king.wang@huawei.com>
and xinhua.Cao <caoxinhua@huawei.com>.

Since we're assigning the 'client' to our callback event lookaside list,
it's imperative that we grab a reference to the object; otherwise, the
object is unref'd during virNetServerProcessClients when it's determined
that the virNetServerClientIsClosed, and the memory is free'd perhaps before
the object event state callbacks are run.  When a virObjectLock() is run
before sending the message, the following trace occurs:

    #0  0x00007fda223d66d8 in virClassIsDerivedFrom
        (klass=0xdeadbeef, parent=0x7fda24c81b40)
         at util/virobject.c:169
    #1  0x00007fda223d6a1e in virObjectIsClass
        (anyobj=anyobj@entry=0x7fd9e575b400, klass=<optimized out>)
         at util/virobject.c:365
    #2  0x00007fda223d6a44 in virObjectLock
        (anyobj=0x7fd9e575b400)
        at util/virobject.c:317
    #3  0x00007fda22507f71 in virNetServerClientSendMessage
        (client=client@entry=0x7fd9e575b400, msg=msg@entry=0x7fd9ec30de90)
        at rpc/virnetserverclient.c:1422
    #4  0x00007fda230d714d in remoteDispatchObjectEventSend
        (client=0x7fd9e575b400, program=0x7fda24c844e0, procnr=348,
         proc=0x7fda2310e5e0 <xdr_remote_domain_event_callback_tunable_msg>,
         data=0x7ffc3857fdb0)
        at remote.c:3803
    #5  0x00007fda230dd71b in remoteRelayDomainEventTunable
        (conn=<optimized out>, dom=0x7fda27cd7660, params=0x7fda27f3aae0,
         nparams=1,opaque=0x7fd9e6c99e00)
        at remote.c:1033
    #6  0x00007fda224484cb in virDomainEventDispatchDefaultFunc
        (conn=0x7fda27cd0120, event=0x7fda2736ea00, cb=0x7fda230dd610
         <remoteRelayDomainEventTunable>, cbopaque=0x7fd9e6c99e00)
        at conf/domain_event.c:1910
    #7  0x00007fda22446871 in virObjectEventStateDispatchCallbacks
        (callbacks=<optimized out>, callbacks=<optimized out>,
         event=0x7fda2736ea00,state=0x7fda24ca3960)
        at conf/object_event.c:722
    #8  virObjectEventStateQueueDispatch
        (callbacks=0x7fda24c65800, queue=0x7ffc3857fe90, state=0x7fda24ca3960)
        at conf/object_event.c:736
    #9  virObjectEventStateFlush (state=0x7fda24ca3960)
        at conf/object_event.c:814
    #10 virObjectEventTimer (timer=<optimized out>, opaque=0x7fda24ca3960)
        at conf/object_event.c:560
    #11 0x00007fda223ae8b9 in virEventPollDispatchTimeouts ()
        at util/vireventpoll.c:458
    #12 virEventPollRunOnce ()
        at util/vireventpoll.c:654
    #13 0x00007fda223ad1d2 in virEventRunDefaultImpl ()
        at util/virevent.c:314
    #14 0x00007fda225046cd in virNetDaemonRun (dmn=0x7fda24c775c0)
        at rpc/virnetdaemon.c:818
    #15 0x00007fda230d6351 in main (argc=<optimized out>, argv=<optimized out>)
        at libvirtd.c:1623

Signed-off-by: John Ferlan <jferlan@redhat.com>
2017-04-25 07:26:36 -04:00
admin_server.c rpc: virnetserver: Rename ClientSetProcessingControls to ClientSetLimits 2016-08-02 14:51:13 +02:00
admin_server.h admin: Introduce virAdmServerSetClientLimits 2016-05-19 12:31:53 +02:00
admin.c admin: Introduce virAdmConnectSetLoggingFilters 2016-12-15 10:36:23 +01:00
admin.h admin: Move admin_server.{h,c} to admin.{h,c} 2016-02-17 12:46:34 +01:00
libvirt.rules polkit: Allow password-less access for 'libvirt' group 2015-05-04 12:57:06 -04:00
libvirtd-config.c libvirtd: add openvitch timeout value 2017-02-09 14:34:08 +01:00
libvirtd-config.h libvirtd: add openvitch timeout value 2017-02-09 14:34:08 +01:00
libvirtd.aug libvirtd: add openvitch timeout value 2017-02-09 14:34:08 +01:00
libvirtd.c Sanity check explicit TLS file paths 2017-03-16 10:49:58 +00:00
libvirtd.conf libvirtd: add openvitch timeout value 2017-02-09 14:34:08 +01:00
libvirtd.h remote: implement secret lifecycle event APIs 2017-01-09 15:53:49 +00:00
libvirtd.init.in Fix LSB requirements in service script and sync them 2016-01-11 15:49:13 +01:00
libvirtd.libxl.logrotate.in libxl: add logrotate config file 2015-05-05 09:08:11 -06:00
libvirtd.logrotate.in
libvirtd.lxc.logrotate.in
libvirtd.pod man: Fix SYNOPSIS section 2016-04-25 15:40:44 +02:00
libvirtd.policy.in
libvirtd.qemu.logrotate.in
libvirtd.sasl Switch to GSSAPI (kerberos) instead of the insecure DIGEST-MD5 2017-03-15 18:14:51 +00:00
libvirtd.service.in Increase default task limit for libvirtd 2017-04-20 09:13:34 -06:00
libvirtd.sysconf daemon: Enhance documentation for changing NOFILE limit 2014-03-20 10:55:44 +01:00
libvirtd.sysctl
libvirtd.uml.logrotate.in
libvirtd.upstart
Makefile.am Split out -Wframe-larger-than warning from WARN_CLFAGS 2017-04-06 12:29:35 +02:00
remote.c remote: Fix possible use-after-free when sending event message 2017-04-25 07:26:36 -04:00
remote.h
stream.c Fix minor typos 2016-12-02 09:25:13 +01:00
stream.h daemon stream: Remove useless empty lines from header file 2016-04-21 16:29:41 +02:00
test_libvirtd.aug.in libvirtd: add openvitch timeout value 2017-02-09 14:34:08 +01:00
THREADS.txt THREADS.txt: fix typos 2017-01-25 09:18:49 +01:00
virt-guest-shutdown.target libvirtd: systemd: add special target for system shutdown 2016-11-23 11:13:53 +03:00